Embedding Covert Channels into TCP/IP
TRANSCRIPT
-
7/28/2019 Embedding Covert Channels Into TCP IP
1/40
CMSC 691I Clandestine Channels
Embedding Covert Channels into TCP/IP
S.J. Murdoch, S. Lewis
University of Cambridge, United Kingdom
7th Information Hiding Workshop, June 2005
Sweety Chauhan
October 26, 2005
-
Overview
New and Significant
Overview of Covert Channels
TCP/IP-based Steganography
Detection of TCP/IP Steganography
Conclusion
-
New and Significant
Proposed a scheme, Lathra, for encoding data in the TCP/IP header that is not detected by the warden
A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key
-
Covert Channels
Communication in a non-obvious manner
Potential method to get information out of the security perimeter
Two types:
Storage
Timing
-
Types of Covert Channels
Storage: information conveyed by writing or abstaining from writing; no clock needed
Timing: information conveyed by the timing of events; the receiver needs a clock
-
Where is this relevant?
The use of covert channels is relevant in organizations that:
restrict the use of encryption in their systems
have privileged or private information
wish to restrict communication
monitor communications
-
Network Covert Channels
Information hiding placed in network headers and/or conveyed through action/reaction
Goal: a channel that is undetectable or unobservable
Network watchers (sniffer, IDS, ...) will not be aware that data is being transmitted
-
Taxonomy (I)
Network covert channels can be:
Storage-based
Timing-based
Frequency-based
Protocol-based
any combination of the above
-
Taxonomy (II)
Each of the above categories constitutes a dimension of data
Information hiding in the packet payload is outside the realm of network covert channels
Those cases fit into the broader field of steganography
-
Packet Header Hiding
[Figure: packet layout of IP Header (20-64 bytes), TCP Header (20-64 bytes) and DATA (0-65,488 bytes); fields shown: IP Source Address, IP Destination Address, TCP Source Port, TCP Destination Port; example hidden text: "This is Information Assurance Class"]
The TCP/IP header can serve as a carrier for a steganographic covert channel
-
IP Header
[Figure: IP header layout, with a variable 0-44 byte portion]
Fields that may be used to embed steganographic data
-
TCP Header
[Figure: TCP header layout, with a variable 0-44 byte portion including the Timestamp option]
-
Storage Based
Information is leaked by hiding data in packet header fields:
IP identification
Offset
Options
TCP Checksum
TCP Sequence Numbers
-
Timing Channels (I)
Information is leaked by triggering or delaying events at specific time intervals
-
Timing Channels (II)
-
Frequency Based (I)
Information is encoded over many channels of cover traffic
The order or combination of cover channel access encodes the information
-
Frequency Based (II)
-
Protocol Based
Exploits ambiguities or non-uniform features in common protocol specifications
-
Traditional Detection Mechanisms
Statistical methods:
Storage-based: data analysis
Time-based: time analysis
Frequency-based: flow analysis
-
Threat Model
Passive Warden Threat Model
Active Warden Threat Model
-
IP Covert Channel
IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers
For IP networks:
Data hidden in the IP header
Data hidden in ICMP Echo Request and Response packets
Data tunneled through an SSH connection
Port 80 tunneling (or DNS port 53 tunneling)
In image files
-
IP ID and TCP ISN Implementation
Two fields which are commonly used to embed steganographic data are the IP ID and the TCP ISN
Due to their construction, these fields contain some structure
Partially unpredictable
-
Detection of TCP/IP Steganography
Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates; these can be used to identify anomalies that may indicate the use of steganography
A suite of tests is applied to network traces to identify whether the results are consistent with known operating systems
-
IP ID Characteristics
1. Sequential Global IP ID
2. Sequential Per-host IP ID
3. IP-ID MSB Toggle
4. IP-ID Permutation
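An added example, not from the slides or the Murdoch/Lewis paper, of warden tests 1 and 2 above: a small classifier that decides from an ordered trace whether a sender's IP ID field behaves as one global counter, as one counter per destination, or as neither. The packet records, the host names and the gap tolerance for packets the warden did not see are all constructed assumptions.

```python
# Added example (not from the slides or the paper): warden tests 1 and 2
# of the IP ID characteristics slide. Decides whether a sender's IP ID
# field behaves as one global counter, one counter per destination, or
# neither. Packet records and the gap tolerance are constructed/assumed.
from collections import defaultdict

MAX_GAP = 8  # assumed: the warden may have missed up to this many packets

def sequential(ids, max_gap=MAX_GAP):
    """True if every IP ID follows its predecessor by 1..max_gap modulo 2^16
    (the field is 16 bits wide, so 65535 -> 0 is a legitimate step)."""
    return all(1 <= (b - a) % 65536 <= max_gap for a, b in zip(ids, ids[1:]))

def ipid_characteristic(packets, src):
    """Classify how `src` generates IP IDs from an ordered trace of
    (src, dst, ip_id) records: 'global', 'per-host' or 'anomalous'."""
    own = [(dst, ip_id) for s, dst, ip_id in packets if s == src]
    if sequential([ip_id for _, ip_id in own]):
        return "global"          # one counter shared by all destinations
    per_dst = defaultdict(list)
    for dst, ip_id in own:
        per_dst[dst].append(ip_id)
    # Per-host counters are only distinguishable from a global one when the
    # trace holds traffic to more than one destination.
    if len(per_dst) > 1 and all(sequential(ids) for ids in per_dst.values()):
        return "per-host"
    return "anomalous"           # no counter structure: worth a closer look

# Constructed trace, in capture order. A: global counter (IDs interleave
# across destinations, one packet to Y missed). B: a counter per destination.
# C: IDs with no counter structure, as a storage channel in the field would show.
TRACE = [
    ("A", "X", 100), ("A", "Y", 101), ("A", "X", 102), ("A", "Y", 104),
    ("B", "X", 7000), ("B", "Y", 21), ("B", "X", 7001), ("B", "Y", 22),
    ("B", "X", 7002), ("B", "Y", 23),
    ("C", "X", 0x4e21), ("C", "Y", 0x1c07), ("C", "X", 0xb3d9), ("C", "Y", 0x0055),
]

def warden_report(trace=TRACE):
    """Characteristic per source host, e.g. {'A': 'global', ...}."""
    return {src: ipid_characteristic(trace, src)
            for src in sorted({s for s, _, _ in trace})}
```

A host seen talking to a single destination cannot be told apart from a global counter, so the report is only as good as the breadth of the trace.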
-
TCP ISN Characteristics
5. Rekey Timer
6. Rekey Counter
7. ISN MSB Toggle
8. ISN Permutation
9. Zero bit 15
10. Full TCP Collisions
11. Partial TCP Collisions
-
Explicit Steganography Detection
12. Nushu Cryptography
Nushu encrypts data before including it in the ISN field; this results in a distribution which differs from that normally generated by Linux, and so it will be detected by the other TCP tests
-
13. TCP Timestamp
If a low-bandwidth TCP connection is being used to leak information, a randomness test can be applied to the least significant bits of the timestamps in the TCP packets
If too much randomness is detected in the LSBs, a steganographic covert channel is in use
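An added example, not from the slides or the Murdoch/Lewis paper, of the timestamp test above: a NIST-style monobit and runs test (an assumed choice of randomness test) applied to the least significant bit of TCP timestamp values, run over a constructed genuine flow and a constructed covert flow. The significance level, the clock model, the sender model and all sample values are assumptions.

```python
# Added example (not from the slides or the Murdoch/Lewis paper): warden
# test 13, a randomness check on the least significant bit (LSB) of the TCP
# timestamp value over one connection. All data below is constructed.
import math

ALPHA = 0.01  # assumed significance level; below it the LSBs count as non-random

def lsbs(tsvals):
    """LSB of each TCP timestamp value, in packet order."""
    return [v & 1 for v in tsvals]

def monobit_p(bits):
    """NIST frequency test: p-value for the 0/1 balance under independent uniform bits."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))

def runs_p(bits):
    """NIST runs test: p-value for the number of same-bit runs under independent bits."""
    n, pi = len(bits), sum(bits) / len(bits)
    if abs(pi - 0.5) >= 2 / math.sqrt(n):  # prerequisite: roughly balanced
        return 0.0
    v = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    return math.erfc(abs(v - 2 * n * pi * (1 - pi)) /
                     (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def lsb_looks_random(tsvals, alpha=ALPHA):
    """Warden decision: True when the LSBs pass both tests. On a low-bandwidth,
    regularly spaced connection genuine LSBs follow the clock and fail one."""
    bits = lsbs(tsvals)
    return monobit_p(bits) >= alpha and runs_p(bits) >= alpha

# Constructed genuine flow: one packet per clock tick, so the LSB alternates
# 0,1,0,1,... (balanced, but far too many runs for a random source).
GENUINE_TSVALS = [4096 + i for i in range(64)]
# Constructed covert flow: 64 ciphertext-like bits, one per packet. The sender
# model delays each packet until the clock's LSB equals the bit to carry.
MESSAGE_BITS = [int(c) for c in
                "10011011100010011011110100001100"
                "11101000110010111001100010111000"]

def embed_in_timestamps(bits, start=4096):
    t, out = start, []
    for b in bits:
        t += 1                  # at least one clock tick passes
        if (t & 1) != b:        # wrong LSB: wait one more tick
            t += 1
        out.append(t)
    return out

COVERT_TSVALS = embed_in_timestamps(MESSAGE_BITS)
```

Genuine flows with irregular packet spacing also yield random-looking LSBs, which is why the slide restricts the test to low-bandwidth connections; treat a hit as a lead to correlate with the other tests, not a verdict.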
-
14. Other Anomalies
unusual flags (e.g. DF when not expected, ToS set)
excessive fragmentation
use of IP options
non-zero padding
unexpected TCP options (e.g. timestamps from operating systems which do not generate them)
excessive re-ordering
-
Results
-
Detection-Resistant TCP Steganography Schemes
Lathra: a robust scheme, using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier
Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden
-
Conclusion
TCP/IP header fields can be used as a carrier for a steganographic covert channel
Two schemes for encoding data with ISNs generated by OpenBSD and Linux, indistinguishable from those generated by a genuine TCP stack
-
Future Work
Flexible covert channel scheme which can be used in many channels
Create a protocol for jumping between multiple covert channels
New schemes to detect different encoding mechanisms in TCP/IP header fields
-
Thanks a lot for your presence
-
Any Questions
-
Homework
Presentation slides and research papers are available at:
www.umbc.edu/~chauhan2/CMSC691I/
-
Covert Channel Tools
SSH (SCP, FTP tunneling, Telnet tunneling, X-Windows tunneling, ...) - can be set to operate on any port (
-
Linux 2.0 ISN Generator
-
Linux ISN and ID generator
-
OpenBSD ISN generator